
VPNs are basically useless as confirmed through testing.

Summary

In two related studies, researchers have found ways to sidestep VPNs' anonymizing features. One targets everything but Android and releases all information to the hostile network. The other confirms a separate yet equally active bug in Android that leaks DNS information in specific, yet frequent, situations.

 

Quotes


About TunnelVision:

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then. ...

 

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. ...

 

The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that’s diverted away from this tunnel will not be encrypted by the VPN and the Internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

 

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.

 

About the Android DNS bug:

A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the "Always-on VPN" feature was enabled with the "Block connections without VPN" option. ...

 

Mullvad found out, while investigating the issue spotted on April 22, that an Android bug leaks some DNS information even when these features are enabled on the latest OS version (Android 14).

 

This bug occurs while using apps that make direct calls to the getaddrinfo C function, which provides protocol-independent translation from a text hostname to an IP address.

 

They discovered that Android leaks DNS traffic when a VPN is active (but no DNS server has been configured) or when a VPN app re-configures the tunnel, crashes, or is forced to stop. ...

Mullvad said that the first DNS leak scenario, where the user switches to another server or changes the DNS server, can be mitigated easily by setting a bogus DNS server while the VPN app is active.

 

However, it has yet to find a fix for the VPN tunnel reconnect DNS query leak, which is valid for all other Android VPN apps seeing that they're also likely impacted by this issue. ...

 

Given the seriousness of this issue, you may want to stop using Android devices for sensitive activities or implement additional safeguards to mitigate the risk of such leaks until Google resolves the bug and backports the patch to older Android versions.

My thoughts

I genuinely think that this has wide-reaching implications for the tech industry at large. The Android bug can be fixed more easily than the TunnelVision vulnerability, which could lead a lot of security-driven users to follow a protocol of connecting to their mobile device after making sure it is fully on, doing what they need to do, disconnecting their device, then disconnecting their phone. This leak and bug discovery affects security as a whole, and I think it is interesting how LONG this vulnerability has been in the wild by researcher calculation.

 

Sources

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

 

https://www.bleepingcomputer.com/news/security/android-bug-leaks-dns-queries-even-when-vpn-kill-switch-is-enabled/amp/


9 minutes ago, ChitterCharmer said:

Summary

In two related studies, researchers have found ways to sidestep VPNs' anonymizing features. One targets everything but Android and releases all information to the hostile network. The other confirms a separate yet equally active bug in Android that leaks DNS information in specific, yet frequent, situations.

 


Dumb it down for me.

 

Will Comcast notice my acquisitions?


Clickbait title. Should have said "VPNs are basically useless for anonymity..."

 

VPNs are quite useful; just because you leak DNS doesn't mean you leak the entire traffic. Just because, for example, my home DNS leaked doesn't mean my entire network is open to the internet. I would still be suspect of MITM, sure, but you would need to try harder to leak data from my VPN.


Just now, Dedayog said:

Dumb it down for me.

 

Will Comcast notice my acquisitions?

No. But hostile actors will. And steal anything else as if you never even had the VPN to begin with.


3 minutes ago, ChitterCharmer said:

No. But hostile actors will. And steal anything else as if you never even had the VPN to begin with.

Best as I can tell, you need to be on the network in order for this to work. So in your own home, you'd be pretty safe, unless someone in your house is trying to snoop on you, someone gets your WiFi password, or someone breaks into your house and connects to an Ethernet port. Basically, this attack won't work without some degree of access to the router.

 

I suppose that, in theory, your ISP could use this against you if you are using their provided router, as they could maliciously update the firmware to make such an attack possible from their end. However, this could be easily circumvented by simply having your own router.

 

The one place where this seems to be a real concern is unsecured WiFi networks, as anyone can connect to them. So in theory, someone at an airport or restaurant could be using this method. Which means that, if you are using a VPN to stay safer at random WiFi locations, you're out of luck.

 

Is my understanding here correct?


So this is specific to Android devices then? So my ISP nor the FBI have any idea how I acquired the LMG Christmas Album?


49 minutes ago, Levent said:

Clickbait title. Should have said "VPNs are basically useless for anonymity..."

 

VPNs are quite useful; just because you leak DNS doesn't mean you leak the entire traffic. Just because, for example, my home DNS leaked doesn't mean my entire network is open to the internet. I would still be suspect of MITM, sure, but you would need to try harder to leak data from my VPN.

This isn't leaking DNS. This is changing the routing table on your client to send all its traffic to whatever IP address the attacker specifies.

Your VPN app adds an entry to the routing table to say "send all traffic (0.0.0.0) through a specific IP address", which is the gateway of your VPN connection.

But the rogue network overrides this route and says "hey, send traffic bound for 0.0.0.0 (any IP) through this specific gateway instead" (so I can sniff it... hehe).


You can visualize this with the "route print" command in Windows:
[image: route print output]

Notice how all my web traffic is instructed to go through gateway 192.168.8.1. This is what the attacker is overriding.



Naturally, if this attack is used against a VPN that's used for the purpose of reaching devices you otherwise can't access over the internet, you'll still be safe from that. The only thing you'll see is that you cannot connect to those devices and you'll think your VPN is broken. This will only work for leaking your traffic to things that are otherwise publicly available on the internet.


VPNs are not meant to anonymize you. They never have, and never will. If you want anonymity, use Tor. If your selling point (anonymity) relies on a "trust me bro" policy about not logging then it is not a good service. 

 

VPNs have some other benefits though. So don't take my post as saying "VPNs are useless". 

 

This vulnerability isn't really about anonymity though. My guess is that Microsoft will patch it; if the VPN providers can set their route priority lower than the DHCP option's, then Microsoft won't have to do anything.

 

 

Please note that this attack requires a malicious DHCP server. It won't be an issue at home, but it might be an issue at for example a coffee shop. It is also detectable. So if you are worried, check your routing table. 

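One way to do the routing-table check that the "route print" walk-through and the "check your routing table" advice above both point at, as an added example that is not from any poster: a Python script that parses a Windows `route print` IPv4 table and flags routes that win over the VPN's tunnel routes (narrower prefix, or same prefix with a lower metric). The sample table, the tunnel gateway 10.8.0.1 and the VPN server address 203.0.113.5 are constructed assumptions, not values from the thread.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of a Windows "route print" IPv4 table (not the screenshot from
# the post). The VPN client installed 0.0.0.0/1 and 128.0.0.0/1 via its tunnel
# gateway 10.8.0.1 and a /32 host route to its server 203.0.113.5 via the LAN
# router 192.168.8.1. The last two rows model DHCP option 121 (classless static)
# routes pushed by a rogue LAN: 0.0.0.0/2 and 198.51.100.0/24 via the LAN router.
# Both are more specific than the VPN's /1 routes, so longest-prefix matching
# sends that traffic around the tunnel while the VPN client still says "connected".
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.8.1     192.168.8.10     25
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2      5
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2      5
      203.0.113.5  255.255.255.255      192.168.8.1     192.168.8.10     25
         10.8.0.0    255.255.255.0          On-link         10.8.0.2    261
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    331
      192.168.8.0    255.255.255.0          On-link     192.168.8.10    281
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    331
          0.0.0.0        192.0.0.0      192.168.8.1     192.168.8.10     25
     198.51.100.0    255.255.255.0      192.168.8.1     192.168.8.10     25
===========================================================================
"""

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # dotted quad, or "On-link" for a directly attached subnet
    interface: str
    metric: int

# One "Active Routes" row: destination, netmask, gateway (address or On-link), interface, metric.
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def parse_route_print(text: str) -> list[Route]:
    """Parse the IPv4 'Active Routes' rows of `route print` output into Route objects."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gw, iface, int(metric)))
    return routes

def find_tunnel_bypasses(routes: list[Route], tunnel_gateway: str, vpn_server: str) -> list[Route]:
    """Routes that beat the tunnel's own routes for some destinations: another gateway
    and either a narrower prefix than an overlapping tunnel route (longest prefix wins)
    or the same prefix with a lower metric. On-link routes and the /32 host route to
    the VPN server itself are expected and skipped."""
    tunnel_routes = [r for r in routes if r.gateway == tunnel_gateway]
    server = ipaddress.ip_network(f"{vpn_server}/32")
    bypasses = []
    for r in routes:
        if r.gateway in ("On-link", tunnel_gateway) or r.network == server:
            continue
        for t in tunnel_routes:
            narrower = r.network.subnet_of(t.network) and r.network.prefixlen > t.network.prefixlen
            preferred = r.network == t.network and r.metric < t.metric
            if narrower or preferred:
                bypasses.append(r)
                break
    return bypasses
```

Running `find_tunnel_bypasses(parse_route_print(SAMPLE_ROUTE_PRINT), "10.8.0.1", "203.0.113.5")` returns the two option-121 rows; on a live machine, feed it the real `route print` output together with your client's tunnel gateway and server address.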

Oh for crying out loud, this "issue" is called out in the RFC as a potential security risk, nobody discovered anything, it's right there plain as day in the standards document!!

https://datatracker.ietf.org/doc/html/rfc3442#section-7

 

[screenshot of RFC 3442 section 7]

 

 

 

The DNS leak is different as far as I can tell and that might be a slight issue but nothing too serious for the average user imo, however for people trying to evade nation states and nefarious entities it definitely would be an issue.


"just" a vpn is useless for privacy purposes, but if you intend to surf the high seas anonymously, a VPN is part of the complete solution.

 

in other news, wearing seatbelts is useless for surviving a crash when you're driving at 200+km/h while blind drunk.

Link to comment
Share on other sites

Link to post
Share on other sites

It's a bit of an odd one, given the DHCP server already knows your local IP address and whoever runs that DHCP server will already know the WAN address. So the only real pitfall here is that they might be able to see your DNS lookups, if they aren't DNS over HTTPS/TLS. Most anything else is already encrypted, so they have limited scope to see what you are doing.

 

The main reason to use a VPN on a public network is to bypass the potential for DNS poisoning or blocking of certain traffic. Or to remote into another network, which you'll know if the VPN isn't working, as you won't have access.

 

Doing this could also be a big problem for the person running the DHCP server, as if you are doing something you shouldn't be, then redirecting your traffic could expose THEIR WAN IP address as doing something illegal, getting them into trouble. It's largely in their best interest to let you use a VPN so that anything you do, they cannot be held responsible for.

It's hard to see what benefit there possibly is to them doing this sort of attack.


3 hours ago, YoungBlade said:

Best as I can tell, you need to be on the network in order for this to work. So in your own home, you'd be pretty safe

 

3 hours ago, YoungBlade said:

Is my understanding here correct?

Yes


2 hours ago, LAwLz said:

Please note that this attack requires a malicious DHCP server. It won't be an issue at home, but it might be an issue at for example a coffee shop. It is also detectable. So if you are worried, check your routing table. 

All the VPN clients are just going to do route table checks going forward now that a fuss has been made about it. It's something they should have been doing anyway.


Clickbait title...

 

VPNs still do their job

 

1

If you are target of an attack that has access to your local network, it is not surprising they have opportunity to snoop in on your activity.

 

Quote

The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android.

Unless you have a VPN client like Mullvad's that blocks all requests from the client device that do not go directly to the tunnel.

 

2

As for the Android DNS leak, it is a bug that only affects certain apps and happens momentarily. Once you are locked in to your VPN tunnel, there will be no leaks.

 

The only reason there is no real solution right now for the Android leak, is because Android OS is not stopping getaddrinfo calls for the moments when you lose tunnel connection. This is beyond any VPN app control.


Despite what most VPNs promise, even basic things like bypassing geo-blocks don't work most of the time. Netflix, for example, knows it's going through a VPN and will simply stop working until you turn it off.

 

Since I don't sail the seven seas or buy weapons-grade uranium on a daily basis, and I don't use public WiFi, I don't see much use for one anyway.

 

14 hours ago, LAwLz said:

VPNs are not meant to anonymize you. They never have, and never will.

Funny how this is still the #1 marketing point every VPN makes. Isn't that basically just false advertising, and if it is, why doesn't anyone crack down on it?


What about using a VPN on a VM, setting its own IP or routing its traffic through the host's IP? Also, is using Tor with a VPN a bad idea if you're not an advanced user who knows what to set up?


4 hours ago, Stahlmann said:

Funny how this is still the #1 marketing point every VPN makes. Isn't that basically just false advertising, and if it is, why doesn't anyone crack down on it?

I am not so sure VPNs do tout anonymity as one of the main benefits. I think a lot of them talk about privacy but that's not the same thing as anonymity. 

 

I think the "privacy" argument is very much overplayed as well though, since that too relies on a "we pinky promise that we don't look at your traffic".


5 hours ago, Stahlmann said:

Despite what most VPNs promise, even basic things like bypassing geo-blocks don't work most of the time. Netflix, for example, knows it's going through a VPN and will simply stop working until you turn it off.

You give them too much credit. Their method is basically stone age: blanket block anything that is not residential.

/ON
Watch VPNs getting updated to counter this by deleting such routes.......


19 minutes ago, LAwLz said:

I am not so sure VPNs do tout anonymity as one of the main benefits. I think a lot of them talk about privacy but that's not the same thing as anonymity. 

 

I think the "privacy" argument is very much overplayed as well though, since that too relies on a "we pinky promise that we don't look at your traffic".

I think in this case they are sort of one and the same. Like, I know that there is a difference, but the general idea of not "logging" the traffic and making it so that you can download [i.e. torrents] without being able to be identified I think is a selling point for some people [and I know some of those people who do it to prevent getting those copyright notices].

 

I do agree with your "privacy" argument though... how many times has it come to light now that a VPN company has violated that trust by inspecting traffic? VPNs ultimately are good for connecting to the internet where you really don't trust the people who either provided the wifi or plug... or when you are trying to get better deals based on location/viewing content not available in your region.

 

20 hours ago, ChitterCharmer said:

No. But hostile actors will. And steal anything else as if you never even had the VPN to begin with.

The vast majority of places now have HTTPS pretty much on everything important. Unless you are doing corporate work, for the vast majority of people who use a VPN this really won't be much of an issue, as surfing the web will not really compromise much [because it will be encrypted anyway].


5 hours ago, Stahlmann said:

Despite what most VPNs promise, even basic things like bypassing geo-blocks don't work most of the time. Netflix, for example, knows it's going through a VPN and will simply stop working until you turn it off.

Yeah. This is just a game of whack-a-mole that Netflix is obligated to play. The company itself does not care; it's the license holders that do, because they want to have a different sale in every market, so Netflix can't provide it to markets it does not have the license for or they run into trouble.

My VPN refuses to play that game so it never works in terms of Netflix geoblocking; others do. But I never use mine with that goal anyway; it's just annoying as I have my VPN on by default. Now I just split-tunnel MS Edge anyway since it has better streaming support.

Netflix doesn't know if something is a VPN though; it just has a blacklist of IP addresses and adds them as they start to suspect one is. Some VPNs will roll through new IP addresses to do this, hence whack-a-mole.

 

  

6 minutes ago, wanderingfool2 said:

I do agree with your "privacy" argument though...how many times has it come to light now that a VPN company has violated that trust by inspecting traffic. 

Any that have gotten a subpoena for the logs and were unable to provide said logs.
There are a few VPNs like that. 


1 hour ago, starsmine said:

Any that have gotten a subpoena for the logs and were unable to provide said logs.
There are a few VPNs like that. 

Any chance PIA is among those? 🙂 


WRONG. The thing tested the wrong thing. Nobody ever uses a VPN for "privacy"; the only reason to use a VPN is to illegally watch or consume region-restricted content. Hope this helps ~


17 hours ago, Stahlmann said:

Funny how this is still the #1 marketing point every VPN makes

Yeah... because they *cannot* say the true use case without getting sued into oblivion 😉
